[Blink] Blink stores plain word passwords in its config file?

Dan Pascu dan at ag-projects.com
Wed Nov 24 09:42:35 CET 2010


On 24 Nov 2010, at 00:41, Juha Heinanen wrote:
> Dan Pascu writes:
>
>> The conclusion is that either you use a desktop system you own and
>> you're your own root user so you trust yourself implicitly, or you run
>> on a system owned by someone you trust. Otherwise there is no
>> protection against a root user that is willing and determined to read
>> your files or to know what you type on the keyboard.
>
> the conclusion is wrong.

I disagree.

>  i can own my own system and it may get lost/stolen.

It will not matter if the password is encrypted or not. All it takes
is a print in the blink code after blink has decoded the encrypted
password. The only way to prevent this is if the password is not
stored but blink asks for it every time, so you need the actual owner
to input it before it will be known. But even this will not guarantee
you security, since someone may steal it while blink is already
running or may not steal your system at all, but he will just modify
the software to log the typed password to a file.

If you're that worried about it being stolen/lost, you should encrypt
your filesystem anyway, because I guess you have much more sensitive
information on it than a SIP client password.

--
Dan








